User permissions help!!!

A place to discuss and receive support for the Web Auction application.


Postby milanm101 » Wed Sep 17, 2008 10:50 pm

Firstly, really cool software. I'm rather new to PHP & Databases, so I'm kinda stuck.

I'm busy setting up a webauction for a client. They need the administrator to be able to specify which products each user can bid on. Ideally, when a user registers, they shouldn't be allowed to bid on any products, only view them. Once the admin allows them to bid on the specific product, a notification email would be sent to the user. Is this possible?? Any help would be appreciated.
Posts: 7
Joined: Wed Sep 17, 2008 6:14 am

Postby shannah » Thu Sep 18, 2008 12:04 pm

This wouldn't be a difficult feature to add if you were comfortable with PHP/MySQL/Xataface development, however the system is not currently set up to work this way out of the box.

There are many ways to skin this cat, but the most logical way that comes to mind is to:
1. Add a table to track which users are allowed to bid on which products (it would have 2 columns: username and product_id).

2. Add some logic in the beforeSave() method of the tables/bids/bids.php file to check to make sure that the user has permission to bid on the product.

3. Modify the templates/view_product.html template to only show the bidding options if the user has permission to bid on the product.

4. Other minor changes to allow this to work.

Hope this helps.

Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby milanm101 » Thu Sep 18, 2008 12:27 pm

Hi Steve, thanx for the reply. I've got a partner that's a bit more skilled with php which helps. Creating the database is easy, the logic shouldn't be too hard to figure out.

How would we go about giving the site administrator an easy way of changing the users' permissions? Do we use relationships?

How would we change it so that new users have only view permissions?
Posts: 7
Joined: Wed Sep 17, 2008 6:14 am

Postby shannah » Thu Sep 18, 2008 12:41 pm

You could use relationships for this quite easily. Just make a relationship from the users table to the user_products table (assuming that your table to track product permissions is called user_products).

Then you could just use the "Add New user_products record" to add a product to the users 'allowed' list.

You could similarly do a relationship from the products table to the user_products table, if you wanted to do it from a different context.

Alternatively (or additionally) you could just add new records to that table directly by adding a tab for the user_products table (just add an entry to the [_tables] section of the conf.ini file for the user_products table).

If you make the appropriate changes to the templates and permissions to deny bidding access to users who don't have an entry in the user_products table, then users will by default only have "view" permissions but won't be able to bid.

Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby milanm101 » Mon Sep 22, 2008 2:18 am

Hi again...we've set up the table (user_products with username, product_id & idx fields). I've also set up the relationship so we can add entries into the database. Editing the view_products.html is where we're kind of stuck, we're not familiar with the syntax. How would we add an if statement to check whether the logged in username and current product have an entry in the user_products table?
Posts: 7
Joined: Wed Sep 17, 2008 6:14 am

Postby shannah » Mon Sep 22, 2008 2:02 pm

The cleanest way is probably to add a calculated field to the products table via its delegate class.

I.e. add a method in the tables/products/products.php file:

function field__can_bid(&$record){
    // Look up whether the logged-in user has a user_products row for this product.
    // mysql_real_escape_string() escapes with the connection's charset; addslashes() is not a SQL escaping function.
    $res = mysql_query("select * from user_products where username='".mysql_real_escape_string(getUsername(), df_db())."' and product_id='".mysql_real_escape_string($record->val('product_id'), df_db())."' limit 1", df_db());
    if ( !$res ) trigger_error(mysql_error(df_db()), E_USER_ERROR);
    $numrows = mysql_num_rows($res);
    return ($numrows>0);
}

Then you can use this field on any product record as follows:

$product->val('can_bid')

to see whether the current user can bid on that product.

One example of where you would use this is in the templates/view_product.html, changing

{if $product->val('isOpen') and $product->val('high_bidder') != getUsername()}

to

{if $product->val('can_bid') and $product->val('isOpen') and $product->val('high_bidder') != getUsername()}
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm
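Step 2 of the plan earlier in the thread also calls for checking the permission in the bids table's beforeSave(), not only hiding the form in the template. The following is an added example, not code from the thread or from Xataface, showing the calculated field and the bids check sharing one lookup; it assumes the bids table stores the bidder in a username column, that delegate classes follow Xataface's tables_<name> naming, and that the helper lives in a hypothetical file included by both delegates.

```php
<?php
// Added example (not Xataface's or the Web Auction project's own code).
// Assumed environment, as on the page: df_db() returns the mysql link,
// getUsername() returns the logged-in username, user_products has
// username and product_id columns, and the bids table stores the bidder
// in a username column (assumption).

// Shared lookup, e.g. in a hypothetical lib/bid_permissions.php included by
// both delegate classes. True only if user_products grants the bid.
function user_can_bid($username, $product_id) {
    if ($username === null || $username === '') return false; // anonymous users never bid
    $db = df_db();
    // Escape with the connection's charset; addslashes() does not know the
    // charset and is not a SQL escaping function.
    $sql = sprintf(
        "select 1 from user_products where username='%s' and product_id='%s' limit 1",
        mysql_real_escape_string($username, $db),
        mysql_real_escape_string((string)$product_id, $db)
    );
    $res = mysql_query($sql, $db);
    if (!$res) trigger_error(mysql_error($db), E_USER_ERROR);
    $allowed = mysql_num_rows($res) > 0;
    mysql_free_result($res);
    return $allowed;
}

// tables/products/products.php: the calculated field used by the template.
class tables_products {
    function field__can_bid(&$record) {
        return user_can_bid(getUsername(), $record->val('product_id'));
    }
}

// tables/bids/bids.php: the server-side check. Hiding the bid form in
// templates/view_product.html only affects what is displayed; a request
// that bypasses the form still reaches the bids table, so enforce here too.
class tables_bids {
    function beforeSave(&$record) {
        $username = getUsername();
        // Do not trust the submitted bidder; the bid belongs to the session user.
        if ($record->val('username') !== $username) {
            return PEAR::raiseError("Bids must be placed under your own username.", DATAFACE_E_NOTICE);
        }
        if (!user_can_bid($username, $record->val('product_id'))) {
            return PEAR::raiseError("You are not permitted to bid on this product.", DATAFACE_E_NOTICE);
        }
    }
}
```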

Postby milanm101 » Wed Oct 01, 2008 3:10 am

Thanx again Steve, we managed to get it all working. One little problem I've noticed now though, when a user tries to register and the username already exists, it doesn't allow him, but it also doesn't show any error messages. The page just refreshes with all the fields still filled in. Any idea on why this would be? Seems like the function below is working, just not returning the error.

function beforeSave(&$record){
    if ( $record->valueChanged('username') ){
        // Count existing users with the requested username; escape with the connection's charset.
        $res = mysql_query("select count(*) from `users` where `username`='".mysql_real_escape_string($record->strval('username'), df_db())."'", df_db());
        if ( !$res ) trigger_error(mysql_error(df_db()), E_USER_ERROR);
        list($num) = mysql_fetch_row($res);
        if ( $num > 0 ) return PEAR::raiseError("That username already exists. Please choose a different one.", DATAFACE_E_NOTICE);
    }
}
Posts: 7
Joined: Wed Sep 17, 2008 6:14 am

Postby shannah » Wed Oct 01, 2008 4:55 pm

Thanks for posting this.... I'll have to look into it a bit to see why this is.

Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby milanm101 » Tue Oct 07, 2008 12:22 pm

Hi again...noticed another issue. Our activation emails only work on the local server (if the email address is on the same server as the site). The emails come from a generated address ( We've set up the admin_email and the notification_from_address in the conf.ini file, and I've tried changing the address to a few different ones, and it doesn't change. Could this be a problem with our installation??

Here's our conf.ini file:


;; The title that will show up in the web browser
title="Crown Pyramid Commodities"

;; Modify the Variables below to correspond with your database connection info
;; The hostname of the MySQL server

;; The name of the MySQL user

;; The MySQL user password

;; The name of the database



users_table = users
username_column = username
password_column = "password"
;ldap_host = ""
;ldap_port = "1389"
;ldap_base = "ou=people, o=SFU, c=CA"

;;------------- DF AUCTION SETTINGS ------------------------------------------
;; This section allows you to specify certain parameters for your auction
;; application.

;; The email address of the auction administrator. This address will receive
;; notifications when bids are made.
admin_email = ""

;; If email notifications are enabled, then this is the 'reply-to' address
;; that will appear in the email that is sent.
notification_from_address = ""

;; The closing time of the auction. This can be overridden on a product-to-
;; product basis by setting the closing_time values for
;; each product. If a product's closing time is left null, then it will
;; use this value as its closing time.
closing_time = "2008-10-13 17:00:00"

;; The minimum increment between bids. E.g. If the current bid is $10 and
;; the bid_increment is 5, then the next bid must be at least $15.
bid_increment = 5

;; The default status of bids. It is possible to set this to "PENDING", but
;; not recommended as this would create a lot of work for the administrators
;; to have to approve each bid that comes in before other bids can be made.
default_bid_status = "APPROVED"

;; The minimum bid allowed on products. Products may set their own minimum
;; bids as well.
minimum_bid = 5.00

;; The default closing time for products that are added. This is different
;; than the closing_time attribute above, in that this is only used as a default
;; value when adding a new product. The admin can still erase or change this
;; default value with a different value. The closing_time attribute is used
;; only if the product closing_time field is set to null.
default_closing_time = "2008-10-13 17:00:00"

;; The default opening time for products that are added.
default_opening_time = "2008-10-13 08:00:00"

;; Whether or not to send email notifications to bidders to confirm their bids.
;; 1 for 'YES' and 0 for 'NO'

;; Whether or not to send email notifications to the administrator when bids are
;; made. 0 for 'NO' and 1 for 'YES'

;;-------------- THEMES ---------------------------------------------------------
;; This section allows you to apply themes to this application. Themes may
;; be placed anywhere on your system. You just need to set the name and
;; path to the theme in this section.
;; The default theme is the SFU theme which uses the SFU common look and feel.

Posts: 7
Joined: Wed Sep 17, 2008 6:14 am

Postby shannah » Fri Oct 17, 2008 8:13 am

Check the settings by logging in as an admin and click on Auction Settings. These settings override those in the conf.ini file.

Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Postby milanm101 » Thu Oct 23, 2008 7:01 am

Hey again, we've figured out what the problem is...we need to add SMTP authentication for the mails to go out. Is there an easy way of adding this in to the mail functions...we've played around with different versions of SMTP auth code, but just can't seem to implement it into the site's code.

Posts: 7
Joined: Wed Sep 17, 2008 6:14 am

Postby shannah » Sat Oct 25, 2008 11:31 am

Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm


Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved